Several days ago I wrote a rather scathing article about my utter dismay and disappointment with Mandrake 9.1 and, by association, Linux as a whole. Since then I have had many, many flames and equally as many agreeing emails (is there a simple opposite word for flame?). Since then I have been trying, really really trying, to get my system working fully. But time and again I'm coming up against the same brick wall of (un)usability, computer esotericism and downright idiocy.
Even Microsoft XP does not function "perfectly" ...
Plenty of Freezes ...
http://groups.google.com/groups?scoring=d&num=100&q=Freeze+group:mi...
http://www.google.com/search?q=XP+Freeze
Plenty of Crashes ...
http://groups.google.com/groups?scoring=d&num=100&q=Crash+group:mic...
http://www.google.com/search?q=XP+Crash
And in many cases there are no Drivers for XP
http://groups.google.com/groups?num=100&scoring=d&q=%22no+drive...
http://www.google.com/search?num=100&q=%22No+drivers+for+XP~*~@...
http://www.google.com/search?num=100&q=%22NO+support+for+XP~*~@...
So by Iain Alexander's, and a few other Troll-like-articles', line of thinking, Microsoft XP must be totally unsuitable for the Desktop, and it is wrong for Microsoft to market XP as a suitable desktop.
In fact, the issues Iain, and others have brought up in recent OSNEWS "articles", are minor niggles in comparison to the endemic failure of Microsoft toward the security of its own products and services.
Microsoft was notified of the issues, concerning only Microsoft's implementation of the JVM, on September 2nd 2002 and after SEVEN MONTHS on April 9th 2003, Microsoft have issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
There is no absolute security; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Red Hat has already backported the patch into their distribution's RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updateable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE ones have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/systemcall/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities that they are aware exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 )
QUOTE
Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes ...
....In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitations and internal security assumptions made by design in Microsoft's security analysis tools, Microsoft pushes Windows Update (windowsupdate.com) as a safe and reliable way to keep Windows boxes up-to-date. Unfortunately, Windows Update isn't designed to supply or verify the presence of SQL Server hotfixes, either.
None of Microsoft's own hotfix/patch status scanning tools designed to prove "baseline security" were able to help administrators avoid Sapphire. This entire scenario, this comedy of errors, illustrates the security risk created by any organization that pushes security around from department to department, passing the buck and hoping that somebody else will know how to deal with the problem. The result is a system so flawed that it borders on the absurd.
UNQUOTE
Because of this continued inherent attitude to security, Microsoft's products and services should be considered UNSECURE by default.
Not only that, but by Microsoft's own declaration, it's going to be another FOUR OR FIVE YEARS before Microsoft's security issues are addressed, with the release of the now renamed Palladium (NGSCB - which sounds like an old Soviet "security" agency to me). Microsoft appears to be targeting its "trusted platform" efforts toward the security of Microsoft's own profits and maintaining its own monopoly.
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=...
Knowing this, are you, and many of the more intelligent persuasion, going to limit yourself to the Microsoft desktop platform?
In comparison, the current issues with Linux are a lot more fixable, if not with your current distribution then with another targeted towards the beginner.